## NemoClaw Fixes Critical Re-onboarding Bug: Ollama Loopback Override Skipped on Existing Installations
A critical configuration flaw in NemoClaw left pre-existing Ollama instances bound to all network interfaces while the wizard displayed a misleading success message. The bug, now patched in a commit addressing issue #3342, caused systems that re-onboarded after an older NemoClaw installation to silently remain exposed to remote network access, matching the conditions documented under CVE-2024-37032 and CNVD-2025-04094.

The vulnerability originated in how the inference selector wizard handled the systemd drop-in configuration. When NemoClaw first installed Ollama, it correctly applied `OLLAMA_HOST=127.0.0.1:11434` via a systemd override at `/etc/systemd/system/ollama.service.d/override.conf`, restricting the service to loopback only. However, this logic lived entirely within the `install-ollama` code branch. Hosts re-onboarding with a pre-existing Ollama, particularly those where older NemoClaw releases had bound `0.0.0.0:11434`, never triggered the override correction. The wizard nonetheless logged a green checkmark confirming "Using Ollama on localhost:11434," masking the misconfiguration from operators.

The fix extracts the override logic into a dedicated `ensureOllamaSystemdLoopbackOverride()` helper function, positioned alongside `checkOllamaPortsOrWarn` at the correct scope. This helper, designed to be idempotent, now executes from both the fresh-install and existing-Ollama branches, automatically correcting any loopback binding mismatch. Systems that had been silently exposed now receive the proper systemd configuration on their next re-onboarding cycle. Organizations running NemoClaw with Ollama should verify that their `override.conf` explicitly contains the `127.0.0.1` binding and consider an immediate re-onboarding to apply the corrected configuration if the current state is uncertain.
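
One way to run the verification recommended above, comparing the drop-in on disk with the sockets actually open, as an added example that is not NemoClaw's code. The function names, the sample drop-in contents and the sample `ss -ltn` lines are constructed for illustration.

```bash
# Added example (not NemoClaw code). Sample drop-ins and ss lines are constructed.
# On a real host, feed override.conf and `ss -ltn` output to the functions below.

# Effective OLLAMA_HOST from systemd drop-in text on stdin. Later assignments
# win; an empty "Environment=" line resets everything set before it.
ollama_host_from_dropin() {
  tr -d "\"'" | awk '
    /^[ \t]*Environment=[ \t]*$/ { v = ""; next }
    /^[ \t]*Environment=/ && match($0, /OLLAMA_HOST=[^ \t]+/) {
      v = substr($0, RSTART + 12, RLENGTH - 12)
    }
    END { print v }'
}

# Classify an OLLAMA_HOST value as loopback, non-loopback or unset.
classify_bind() {
  case "${1#*://}" in
    "") echo unset ;;
    127.0.0.1|127.0.0.1:*|localhost|localhost:*|"[::1]"|"[::1]":*) echo loopback ;;
    *) echo non-loopback ;;
  esac
}

# From `ss -ltn` output on stdin, print port-11434 listeners that are not loopback.
nonloopback_listeners() {
  awk '$4 ~ /:11434$/ && $4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# Compare the drop-in on disk ($1) with the sockets actually open ($2).
audit_ollama() {
  local cfg state open
  cfg=$(printf '%s\n' "$1" | ollama_host_from_dropin)
  state=$(classify_bind "$cfg")
  open=$(printf '%s\n' "$2" | nonloopback_listeners)
  [ "$state" = loopback ] || { echo "FAIL: OLLAMA_HOST is $state (${cfg:-none})"; return; }
  [ -z "$open" ] || { echo "STALE: drop-in is loopback but $open is still listening"; return; }
  echo "OK"
}

OLD_DROPIN='[Service]
Environment="OLLAMA_HOST=0.0.0.0:11434"'
FIXED_DROPIN='[Service]
Environment="OLLAMA_HOST=127.0.0.1:11434"'
SS_ALL='LISTEN 0 4096 *:11434 *:*'
SS_LOOPBACK='LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*'
audit_ollama "$OLD_DROPIN" "$SS_ALL"
audit_ollama "$FIXED_DROPIN" "$SS_ALL"
audit_ollama "$FIXED_DROPIN" "$SS_LOOPBACK"
```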

---
- **Source**: GitHub Issues
- **Sector**: The Vault
- **Tags**: ollama, loopback, systemd, CVE-2024-37032, CNVD-2025-04094
- **Credibility**: unverified
- **Published**: 2026-05-12 01:48:26
- **ID**: 82046
- **URL**: https://whisperx.ai/en/intel/82046